An Introduction To SOAR

Gartner recently announced a new category in its cybersecurity technology analysis called Security Operations, Analytics, and Reporting. On occasion, you will also hear cybersecurity professionals call it SOAPA (security operations analytics platform architecture) instead, perhaps because they want to punish us with yet another cybersecurity acronym, but pay them no mind: Gartner calls it SOAR and so should we. In a sense, SOAR really can help your CSOC feel like it has wings. SOAR is a security reporting and operations platform that uses machine-readable data from a wide range of sources to provide management, analysis and reporting capabilities in support of cybersecurity analysts. SOAR platforms apply decision-making logic, combined with context, to provide formalized workflows and enable the informed triage of cybersecurity remediation tasks. SOAR platforms provide the actionable intelligence you need to stay on top of your workflow.

What's The Difference Between SOAR And SIEM?
SIEM has been around for some time and during that time it has evolved from a security event correlation tool into a security analytics system. Traditionally, SIEM is the practice of aggregating your security logs and events to give you visibility into what is happening in your organization from a cybersecurity perspective. Evolution of the tools we use is a continuous process, and while alerts on suspicious behaviour are necessary, the real goal is to act on each alert as quickly and effectively as possible. While a traditional SIEM will let you know something is going down on your networks, SOAR platforms enable you to act on that information. SOAR gathers together and consolidates all of the data from your security applications and threat intelligence feeds, but goes a step further than SIEM by enabling you to automate your responses and coordinate automated security tasks across your connected applications and processes. SOAR enables you to aggregate third-party threat intelligence from multiple sources while giving you the ability to develop playbooks consisting of quality, actionable activities in response to any threat.

How Can SOAR Help A Cybersecurity Analyst?
Physicist William Pollard once said that "Information is a source of learning. But unless it is organized, processed, and available to the right people in a format for decision making, it is a burden, not a benefit", and this doubly applies in the cybersecurity space. What is most remarkable about this 19th-century quote is that it succinctly describes a problem that most modern CSOC teams will face at some point. Very often CSOC analysts become overwhelmed by the sheer amount of alerts and information available to them, often spread across different systems. A large part of the average CSOC analyst's time is spent sifting through that information in order to organize and present it in a way that is conducive to decision making. This is where SOAR comes in: it seeks to unburden CSOC analysts from these tasks, freeing them up to focus on higher priority work and delivering a measurable return on investment over a relatively short period of time. It's worth mentioning that the best SOAR platforms are those that can demonstrate they are delivering an ROI, and typically you should expect to see a clear 15%+ saving on your cybersecurity team's time.

What Capabilities Should A Modern SOAR Platform Have?
Endpoint Detection & Response - After prioritizing security alerts, security analysts want to dig deeper into incidents by investigating and monitoring endpoint behaviour, making endpoint detection and response (EDR) a critical part of any SOAR platform.

Vulnerability Management - Part of a SOC analyst's job is knowing which alerts need to be prioritized and managed; these decisions are typically driven by the vulnerability management capabilities of a SOAR platform and based on live data.

Threat Intelligence - Integrate SOAR with any number of threat intelligence platforms and sources to enable analysts to quickly compare potential threats against known threats.

Case Management Based Incident Response - Analysts collect, process and analyze security data, but they need to be able to leverage that data in order to prioritize alerts and respond to threats as quickly as possible. The incident response capabilities of a SOAR platform are critical to this.

Playbook Management - Because SOAR platforms are geared towards incident response, an essential part of SOAR is the ability to create and manage playbooks that align with your incident response policies and streamline your incident response processes.
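As an added illustration (not code from the original article or from any SOAR product), the following Python sketches the flow the capabilities above describe: an alert is enriched with a threat intelligence lookup and asset context, decision logic sets a priority, and a playbook maps that priority to response actions. The threat-intel feed, asset inventory, alert and action names are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed threat-intel feed (indicator -> confidence, label); not a real feed.
THREAT_INTEL = {
    "198.51.100.23": {"confidence": 90, "label": "known-c2"},
    "203.0.113.7": {"confidence": 40, "label": "scanner"},
}
# Constructed asset inventory giving the business context for each host.
ASSET_CONTEXT = {"db-prod-01": "crown-jewel", "dev-vm-17": "low"}

@dataclass
class Case:
    alert: dict                       # {"host": ..., "indicator": ...} from the SIEM
    enrichment: dict = field(default_factory=dict)
    priority: str = "informational"
    actions: list = field(default_factory=list)

def enrich(case):
    """Enrichment: look the indicator up in threat intel and attach asset criticality."""
    case.enrichment["ti"] = THREAT_INTEL.get(case.alert["indicator"])
    case.enrichment["asset"] = ASSET_CONTEXT.get(case.alert["host"], "unknown")
    return case

def triage(case):
    """Decision logic: TI confidence combined with asset context decides the priority."""
    ti = case.enrichment["ti"]
    confidence = ti["confidence"] if ti else 0
    crown_jewel = case.enrichment["asset"] == "crown-jewel"
    if confidence >= 80 and crown_jewel:
        case.priority = "critical"
    elif confidence >= 80 or (confidence >= 30 and crown_jewel):
        case.priority = "high"
    elif confidence > 0:
        case.priority = "medium"
    return case

def respond(case):
    """Playbook actions: automate containment only for critical cases, queue the rest."""
    actions = {"critical": ["isolate_host", "block_indicator", "page_oncall"],
               "high": ["block_indicator", "open_ticket"],
               "medium": ["open_ticket"]}
    case.actions = actions.get(case.priority, ["auto_close"])
    return case

def run_playbook(alert, steps=(enrich, triage, respond)):
    # Each step receives the case, adds to it and hands it on; the order is the playbook.
    case = Case(alert)
    for step in steps:
        case = step(case)
    return case
```

Real platforms swap the dictionaries for integrations (a threat-intel API, a CMDB, an EDR or firewall connector) and version the step list alongside the incident response policy it encodes.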

SOAR Is An Essential Part Of Any Cybersecurity Effort
The constantly growing threat of cyberattack, as well as the administrative burden involved in data security management, is putting pressure on SOCs that simply cannot afford a data breach or the associated operational disruption and reputational damage. SOAR provides cybersecurity teams with a different approach to the provision of security, one that is unrestricted by manual processes and which leverages automation, predictive analytics and (increasingly) AI to help identify and respond to unauthorized intruders before they manage to get a foothold in the network. SOAR promises to deliver a way of reducing attacker dwell time (the time it takes to detect a threat after the initial compromise) as well as detection and remediation time (the time to contain the threat once it has been identified). By integrating automation, incident management and orchestration processes with visualization and reporting under a single pane of glass, SOAR provides a fast and accurate way to process alert and log data, helping analysts identify and respond to attacks that may already be underway, acting as a force multiplier for SOC teams and enabling them to become far more efficient in the way they deal with their workflows.